bungle / lua-resty-session

Session library for OpenResty – flexible and secure
BSD 2-Clause "Simplified" License

Only opening a single session per user #131

Open sagivoulu opened 3 years ago

sagivoulu commented 3 years ago

I am using lua-resty-session alongside lua-resty-openidc in order to authenticate users & create a session for them.

Now our security team wants me to only allow a single session per user (the assumption is that if Alice has two sessions from two computers, then one of these sessions must not be Alice).

Do you know how this can be done with lua-resty-session? What I am thinking of doing is: every time a user logs in and Lua creates a session for him, I will search for another session with the same user id. If another session exists, the other session will be destroyed (basically, every time Alice logs in from a new computer, all other older sessions get destroyed).

So any idea how this can be done? Is there an option to find a session object by content? Something like:

session.find({user_id: "alice"})

P.S. I am storing the sessions in a shared Redis instance

bungle commented 1 year ago

The 4.0.0 has store_metadata option. Next we need to start using this data.
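
One way to get the behaviour asked about in this thread without searching sessions by content is to keep a user-to-session index next to the sessions and swap it at login. The following is an added example, not part of the original thread and not lua-resty-session code; the store is a constructed in-memory stand-in for the shared Redis instance, and the key prefixes and function names are assumptions.

```lua
-- Constructed in-memory stand-in for Redis (GET / SET / DEL / GETSET only).
-- With lua-resty-redis a missing key comes back as ngx.null, not nil, so the
-- nil checks below would need to treat ngx.null the same way.
local function new_memory_store()
  local data = {}
  return {
    get = function(_, k) return data[k] end,
    set = function(_, k, v) data[k] = v end,
    del = function(_, k) data[k] = nil end,
    -- GETSET semantics: write the new value, return the previous one.
    getset = function(_, k, v) local old = data[k]; data[k] = v; return old end,
  }
end

local SESSION_PREFIX = "sessions:"      -- assumed key layout
local INDEX_PREFIX   = "user_session:"  -- assumed key layout

-- Call after a successful login, once the new session id is known.
-- Returns the id of the session that was destroyed, or nil if there was none.
local function register_login(store, user_id, session_id, session_data)
  store:set(SESSION_PREFIX .. session_id, session_data)
  -- One atomic swap, so two concurrent logins cannot both stay indexed.
  local previous = store:getset(INDEX_PREFIX .. user_id, session_id)
  if previous ~= nil and previous ~= session_id then
    store:del(SESSION_PREFIX .. previous)
    return previous
  end
  return nil
end

-- Call on every request: only the indexed session is accepted, and only
-- while its data still exists (covers expiry and explicit destruction).
local function is_current(store, user_id, session_id)
  return store:get(SESSION_PREFIX .. session_id) ~= nil
     and store:get(INDEX_PREFIX .. user_id) == session_id
end

-- Constructed scenario: Alice logs in from two computers, Bob from one.
local store = new_memory_store()
assert(register_login(store, "alice", "sid-laptop", "{}") == nil)
assert(register_login(store, "alice", "sid-desktop", "{}") == "sid-laptop")
assert(not is_current(store, "alice", "sid-laptop"))
assert(is_current(store, "alice", "sid-desktop"))
assert(register_login(store, "bob", "sid-bob", "{}") == nil)
assert(is_current(store, "bob", "sid-bob"))
```

Against the real store, give the index key the same lifetime as the session and delete it on logout, so a stale index entry never outlives the session it points to.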